Hacking Team Android malware could hack 500m Android devices

Malware researchers reckon the Hacking Team leak has given criminals a “weaponised” toolset that could be used to hack half a billion Android users.

Researchers at Trend Micro have dissected yet another piece of malware exposed in the 400GB of Hacking Team files leaked by someone last Sunday.

The latest is the Hacking Team’s open-source mobile malware suite dubbed Remote Control System Android or RCSAndroid — the company’s lawful intercept product that helped law enforcement agencies around the world compromise and monitor a target’s Android device. And like many others in the security industry, a Trend Micro researcher is impressed with the firm’s handiwork behind the Android attack tool.

“The RCSAndroid code can be considered one of the most professionally developed and sophisticated Android malware ever exposed,” said Veo Zhang, a mobile threat analyst with Trend Micro.

The real problem, now that the Hacking Team’s files have been leaked, is that just under half of the more than one billion Android users across the world could become the target of non-government hackers who use the foundations of Hacking Team’s professional surveillance kit to build information-stealing software.

“The leaked RCSAndroid code is a commercial weapon now in the wild,” Zhang noted, adding that it could offer such hackers a “new weaponized resource for enhancing their surveillance operations.”

“Should a device become infected, this backdoor cannot be removed without root privilege. Users may require the help of their device manufacturer to get support for firmware flashing,” wrote Zhang.

Details of RCSAndroid were first brought to light by a Citizen Lab report last year; however, its analysis was derived from leaked technical documentation that Hacking Team provided to its customers in 2013. It revealed an array of modules that enabled an attacker to log keystrokes, access saved passwords, record calls, take screenshots, use the device’s camera, create silent conference calls, record audio and more.

Citizen Lab also found the Hacking Team used a fake news app distributed via Google Play to deliver its payload — a technique that was also confirmed last week by Trend Micro in files from the company.

Trend Micro’s analysis of RCSAndroid found the same capabilities, but fleshed out a few details. RCSAndroid can, according to Trend, capture real-time voice calls in any network or app; collect passwords for popular apps including Skype, Facebook, Twitter, Google, WhatsApp, Mail, and LinkedIn; collect Gmail messages; and decode messages from messenger apps including Facebook Messenger, WhatsApp, Skype, Viber, Line, WeChat, Hangouts, Telegram, and BlackBerry Messenger.

Zhang said RCSAndroid had been in the wild since 2012 and used two key methods to lure targets. The first was a specially crafted URL, sent by email or SMS, that triggers exploits for two vulnerabilities in the default Android browser that shipped with all Android devices prior to Android 4.4.4 (KitKat).

If criminals do leap onto the Hacking Team source code, it could spell trouble for a large portion of Android users with devices that can’t be updated to KitKat. Google’s figures for Android devices hitting the Google Play app store in May show that 48 percent of over one billion Android devices are on pre-KitKat Android and therefore would be vulnerable to Hacking Team’s attack kit.

The other method relies on trickery. Trend Micro discovered the “BeNews” app (ANDROIDOS_HTBENEWS.A) that was distributed on Google Play and used as a vehicle to deliver a Hacking Team shell backdoor, which has an evidence-collecting module and another that kicks into action when it appears a user is attempting to purge the malware.

Cybercriminals are also likely not concerned about new legislation that imposes restrictions on the export of intrusion software sold by Hacking Team and others.

The Hacking Team on Wednesday hit back at media reports criticising it for selling its software to repressive governments such as Sudan and Ethiopia, claiming that it was compliant with EU regulations based on the Wassenaar Arrangement when they came into effect in January. Under EU law, Italy is required to regulate the export of intrusion software — now considered a dual-use technology that can be deployed with military or civilian aims — as well as outright weapons.

“The sale of ‘weapons’ has been banned to certain countries. Hacking Team technology has never been categorized as a weapon. At the time of the company’s only sale to Sudan in 2012, the HT technology was not classified as a weapon, arms or even dual use,” said Eric Rabe, Hacking Team’s communications officer.

“In fact, it is only recently that Hacking Team technology has been categorized under the Wassenaar Arrangement as a ‘dual use technology’ that could be used for both civil and military purposes. Dual use technologies are regulated separately from weapon technologies.”

Copyright 2017 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.